API Documentation

Programmatic access to SOURCE for M2M integrations, AI agents, and automation.

Authentication

SOURCE uses Bearer tokens for API authentication. Include your token in theAuthorization header.

HTTP Header

Authorization: Bearer source_abc123...

Token Types

Access Token: Generated after purchasing a package. Used to download packages you've purchased.

CLI Token: Created in Settings → Tokens. Used for publishing packages and API access.

For AI Agents: Create a dedicated CLI token with read scope for downloading packages. Store it securely in your environment variables.

Base URLs

Web APIhttps://source.software/api

Registry Proxyhttps://registry.source.software

Endpoints Overview

Method	Endpoint	Auth
GET	/api/packages	Optional
GET	/api/packages/{scope}/{name}	Optional
GET	/@{scope}/{name}	Bearer Token
GET	/@{scope}/{name}/-/{name}-{version}.tgz	Bearer Token
GET	/api/auth/cli/tokens	Session
POST	/api/auth/cli/tokens	Session
DELETE	/api/auth/cli/tokens	Session

Registry Proxy

The registry proxy at registry.source.software implements the npm registry protocol. It validates access tokens before serving package data.

Get Package Metadata

GET/@{scope}/{name}

curl -H "Authorization: Bearer source_YOUR_TOKEN" \
  https://registry.source.software/@source/secure-auth

Download Tarball

GET/@{scope}/{name}/-/{name}-{version}.tgz

curl -H "Authorization: Bearer source_YOUR_TOKEN" \
  -o package.tgz \
  https://registry.source.software/@source/secure-auth/-/secure-auth-1.0.0.tgz

Response: Payment Required

If your token doesn't have access, you'll receive a 402 response with purchase information:

402Payment Required

{
  "error": "payment_required",
  "message": "Access to @source/secure-auth requires payment",
  "purchase_url": "https://source.software/packages/source/secure-auth",
  "price": "$29/mo"
}

Version-Locked Access: If your purchase was locked to a specific version, attempting to download a different version returns 403 Forbidden.

Packages API

List Packages

GET/api/packages

Query parameters:

scope	Filter by scope (e.g., "source", "expert")
pricing_model	Filter by pricing: "subscription", "ppv", "ai_license"
certified	Filter certified packages: "true"
limit	Results per page (default: 20, max: 100)
offset	Pagination offset (default: 0)

Example Response

{
  "packages": [
    {
      "id": "uuid",
      "name": "secure-auth",
      "scope": "source",
      "fullName": "@source/secure-auth",
      "description": "Enterprise authentication library",
      "isCertified": true,
      "pricingModel": "subscription",
      "priceMonthly": 29,
      "owner": "johndoe",
      "createdAt": "2026-01-01T00:00:00Z"
    }
  ],
  "total": 42,
  "limit": 20,
  "offset": 0
}

Get Package Details

GET/api/packages/{scope}/{name}

curl https://source.software/api/packages/source/secure-auth

Response includes versions

{
  "id": "uuid",
  "fullName": "@source/secure-auth",
  "versions": [
    { "id": "uuid", "version": "1.2.0", "downloads": 1500, "createdAt": "..." },
    { "id": "uuid", "version": "1.1.0", "downloads": 3200, "createdAt": "..." }
  ],
  "latestVersion": "1.2.0",
  "hasAccess": false,
  ...
}

CLI Tokens API

Manage CLI tokens programmatically. Requires session authentication (web login).

Create Token

POST/api/auth/cli/tokens

Request body:

{
  "name": "CI/CD Pipeline",
  "scopes": ["read", "publish"],
  "expiresInDays": 90
}

Scopes: publish (upload packages),read (download packages),admin (full access)

201Response

{
  "token": "source_abc123...",  // Only returned once!
  "id": "uuid",
  "expiresAt": "2026-04-10T00:00:00Z"
}

Important: The raw token is only returned once upon creation. Store it securely immediately.

Error Handling

Errors follow RFC 7807 (Problem Details).

Error Response Format

{
  "type": "unauthorized",
  "title": "Unauthorized",
  "status": 401,
  "detail": "You must be logged in to view CLI tokens"
}

Common Status Codes

400Validation Error - Check request body

401Unauthorized - Missing or invalid token

402Payment Required - Purchase needed

403Forbidden - No access to resource

404Not Found - Resource doesn't exist

429Too Many Requests - Rate limited

Rate Limits

Endpoint	Limit
Package downloads	1000/hour
API requests	100/minute
Token creation	10/hour
Package uploads	10/hour

Rate limit headers are included in responses:X-RateLimit-Remaining

Code Examples

Node.js / TypeScript

const SOURCE_TOKEN = process.env.SOURCE_TOKEN;

// List available packages
const response = await fetch('https://source.software/api/packages?certified=true');
const { packages } = await response.json();

// Download a package (via npm)
// Configure npm first: npm config set @source:registry https://registry.source.software
// Then: npm install @source/secure-auth

// Or fetch directly
const tarball = await fetch(
  'https://registry.source.software/@source/secure-auth/-/secure-auth-1.0.0.tgz',
  { headers: { Authorization: `Bearer ${SOURCE_TOKEN}` } }
);

Python

import os
import requests

SOURCE_TOKEN = os.environ.get('SOURCE_TOKEN')

# List packages
response = requests.get('https://source.software/api/packages', params={
    'scope': 'source',
    'certified': 'true'
})
packages = response.json()['packages']

# Download tarball
headers = {'Authorization': f'Bearer {SOURCE_TOKEN}'}
tarball = requests.get(
    'https://registry.source.software/@source/secure-auth/-/secure-auth-1.0.0.tgz',
    headers=headers
)
with open('package.tgz', 'wb') as f:
    f.write(tarball.content)

cURL

# Set your token
export SOURCE_TOKEN="source_abc123..."

# List packages
curl "https://source.software/api/packages?limit=10"

# Get package details
curl "https://source.software/api/packages/source/secure-auth"

# Download package
curl -H "Authorization: Bearer $SOURCE_TOKEN" \
  -o package.tgz \
  "https://registry.source.software/@source/secure-auth/-/secure-auth-1.0.0.tgz"

Need Help?

For API support or integration questions, reach out to us.

api@source.software|Discord